We present a security analysis of the recently introduced Quantum Private Query (QPQ) protocol.
It is a cheat sensitive quantum protocol to perform a private search on a classical database. It allows 
a user to retrieve an item from the database without revealing which item was retrieved, and at 
the same time it ensures data privacy of the database (the information that the user can retrieve 
in a query is bounded and does not depend on the size of the database). The security analysis is 
based on information-disturbance tradeoffs which show that whenever the provider tries to obtain 
information on the query, the query (encoded into a quantum system) is disturbed so that the person 
querying the database can detect the privacy violation. 



PACS numbers: 03.67.Lx, 03.67.Dd, 03.67.Mn 



I. INTRODUCTION 

In its most basic form, the scenario we consider can be described as follows. On one side
we have a provider, Bob, who controls an ordered classical database composed of $N = 2^n$
memory cells. Each cell of the database contains an $m$ bit string, so that the database
consists of $N$ strings $A_0, A_1, \cdots, A_{N-1}$. On the other side, we have the person
querying the database, Alice, who wants to recover the string associated with a memory cell
(say the $j$-th one) but at the same time does not want Bob to know which cell she is
interested in (user privacy). In a purely classical setting the simplest strategy for Alice
consists in placing a large number of decoy queries, i.e. she "hides" her query among a
large number $M - 1$ of randomly selected queries. In this case, she will be able to get the
information she is looking for, while limiting Bob's intrusion in her privacy. [In fact, the
mutual information between Alice's true query $j$ and Bob's estimate of such value is upper
bounded by $\log_2(N/M) - \frac{M-1}{M}\log_2\left(\frac{N-1}{M-1}\right)$.] The drawbacks
associated with such procedures are evident. First of all, the method does not allow Alice to
check whether Bob is retaining information on her queries. Moreover, to achieve a high level
of privacy Alice is forced to submit large amounts of fake queries, increasing the
communication cost of the transition: in particular, absolute privacy is obtained only for
$M = N$, i.e. by asking Bob to send all his database. This may not be acceptable if the
database is huge or if it is an asset for Bob (data privacy).

User and data privacy are apparently in conflict: the most straightforward way to obtain
user privacy is for Alice to have Bob send her the entire database, leading to no data
privacy whatsoever. Conversely, techniques for guaranteeing the server's data privacy
typically leave the user vulnerable [1]. At the information theoretical level, this problem
has been formalized as the Symmetrically-Private Information Retrieval (SPIR) generalizing
the Private Information Retrieval (PIR) problem [3, ^] which deals with user privacy alone.
SPIR is closely related to oblivious transfer [J|, in which Bob sends to Alice $N$ bits, out
of which Alice can access exactly one (which one, Bob doesn't know). No efficient solutions
in terms of communication complexity Q are known for SPIR. Indeed, even rephrasing them at a
quantum level [6, 7], the best known solution for the SPIR problem (with a single database
server) employs $O(N)$ qubits to be exchanged between the server and the user, and ensures
data privacy only in the case of honest users (i.e. users who do not want to compromise
their chances of getting the information about the selected item in order to get more).
Better performance is obtained for the case of multiple non-mutually communicating servers
i^l (although the user cannot have any guarantee that the servers are not secretly
cooperating to violate her privacy), while sublinear communication complexity is possible
under some computational complexity assumption, e.g. [3]. PIR admits protocols that are more
efficient in terms of communication complexity 0, 0] .

The Quantum Private Queries (QPQ) protocol we have introduced in Ref. [8] is a cheat
sensitive strategy which addresses both user and data privacy while allowing an exponential
reduction in the communication and computational complexity with respect to the best
(quantum or classical) single-server SPIR protocol proposed so far. Specifically QPQ
provides a method to check whether or not Bob is cheating and does not need the exchange of
the whole database (i.e. $O(N)$ qubits): in its simplest form it only requires Bob to
transfer two database elements, identified by $O(\log N)$ qubits, for each query. The QPQ
protocol is ideally composed of a preliminary signaling stage where the user and the
database provider exchange some quantum messages (specifically Alice addresses Bob receiving
some feedback from him) and of a subsequent retrieval & check stage where Alice performs
some simple quantum information processing on the received messages to recover the
information she is interested in and to check Bob's honesty. The QPQ security relies on the
fact that if Bob tries to infer the query Alice is looking for, she has a nonzero
probability of discovering it. Most importantly, one can verify that the more information
Bob gets on Alice's query, the higher is the probability that he will not pass Alice's
honesty test. In this paper we will derive analytical bounds for such a theoretical
trade-off, and we analyze different variants of the QPQ protocol.

The main idea behind the protocol is the following. Alice submits her request to Bob using
some quantum information carrier, so that she can either submit a plain query $|j\rangle$
or a quantum superposition of different queries $a|j\rangle +$ Alice randomly alternates
superposed queries and non-superposed queries. Thus, Bob does not know whether the request
he is receiving at any given time is a superposition of queries or not, so that he does not
know which measurement will leave the information carrier unperturbed: he cannot extract
information without risking to introduce a disturbance that Alice can detect. Bob can,
however, respond to Alice's request without knowing which kind of query was submitted. His
response will be either of the form or of the form $a|j\rangle|A_j\rangle +$ where the first
ket is the register that Alice had sent him, the second ket is a register that contains
Bob's answer ($A_i$ being the answer to the $i$th query), and which may be entangled with
the first. From these answers Alice can both obtain the reply to her query and check that
Bob has not tried to breach her privacy.

The main assumption we adopt is that, for each $j$, there exists a unique answer string
$A_j$ that can be independently checked by Alice. [This does not prevent different queries
from having the same answer: indeed we do admit the possibility to have $A_j = A_{j'}$ for
$j \neq j'$.] For example, Alice may be asking Bob the prime factors of one out of $N$ very
large integer numbers (say the RSA collection) which she cannot factorize by herself. The
above requirements can be relaxed (examples will be provided in Sec. VI), but they are
useful as they permit a considerable simplification of the security proof. For the same
reason, we will focus on the simplest version of the QPQ protocol, where there exists a
reference query (dubbed rhetoric query) which has a known standard answer $A_0$. As
discussed in Ref. this assumption is not fundamental, but it is very useful since it allows
us to minimize the amount of exchanged signals in the protocol (as a matter of fact
alternative versions of the QPQ protocol with higher security level can be devised which do
not employ the rhetoric query).

The paper is organized as follows. In Sec. II we describe the rhetoric version of QPQ in its
basic form and introduce the notation. This is followed by the technical Sec. III where we
analyze in detail the most general transformations Bob can perform on Alice's queries.
Section IV contains the main result of the paper: here we introduce the trade-off between
Bob's information on Alice's query and the success probability of him passing her honesty
test. In Sec. V we present some variations of the QPQ protocol, one of which exploits
entanglement as a resource to strengthen Alice's privacy. Finally in Sec. VI we analyze what
happens when relaxing some of the assumptions adopted in the security proof. In particular
we show that the basic version of the QPQ described here does not guarantee privacy if the
queries have multiple answers, and we point out a possible solution in Sec. lVIII

FIG. 1: Scheme of the QPQ protocol with rhetoric questions. Alice wants to find out the
$j$th record of Bob's database (composed of $N = 2^n$ records). She then prepares two
$n$-qubit registers. The first contains the state $|j\rangle_Q$, while the second contains
the quantum superposition $(|j\rangle_Q + |0\rangle_Q)/\sqrt{2}$ between her query and the
rhetoric question "0", to which she knows the standard answer $A_0$. She then sends, in
random order (i.e. randomly choosing either scenario a or scenario b), these two registers
to Bob, waiting for his first reply before sending the next register. Bob uses each of the
two registers to interrogate his database using a qRAM device, which records the reply to
her queries in the two "reply" registers $R$. At the end of their exchange, Alice possesses
the states $|j\rangle_Q|A_j\rangle_R$ and
$(|j\rangle_Q|A_j\rangle_R + |0\rangle_Q|A_0\rangle_R)/\sqrt{2}$, where the $A_j$ is the
content of the $j$th record in the database. By measuring the first she obtains the value of
$A_j$, with which she can check whether the superposition in the second state was preserved.
If this is not the case, then she can be confident that Bob has violated her privacy, and
has tried to obtain information on what $j$ was.



II. PRELIMINARIES AND NOTATION 

In the rhetoric version of the QPQ protocol (see Fig. 1) Alice uses two quantum registers
each time she needs to interrogate Bob's database. The first register contains the address
of the database memory cell she is interested in; the other register is prepared in a
quantum superposition of the type $(|j\rangle + |0\rangle)/\sqrt{2}$, "0" being the rhetoric
query. Alice then secretly and randomly chooses one of the two registers and sends it to
Bob. He returns the register Alice has sent to him, together with an extra register in which
the corresponding answer is encoded. In order to reply to Alice's query without knowing
whether it is the superposed query or not, Bob needs to employ the quantum random access
memory (qRAM) algorithm [ij llH. After Alice has received Bob's first reply, she sends her
second register and waits for Bob's second reply. Again Bob returns her register together
with an extra register which encodes his reply obtained through a qRAM application. If Bob
has followed the protocol accurately, without trying to extract information, Alice now
should possess a state which encodes the information she is looking for and an entangled
state involving the rhetoric query, whose coherence can be tested to check Bob's honesty,
i.e. the two states $|j\rangle|A_j\rangle$ and
$(|j\rangle|A_j\rangle + |0\rangle|A_0\rangle)/\sqrt{2}$. Alice recovers the value of $A_j$
by measuring the second register in the first state, and then she uses this value to prepare
a measurement to test whether the superposition has been retained in the second state
("honesty test"). Such a measurement is simply a projective measurement on the state
$(|j\rangle|A_j\rangle + |0\rangle|A_0\rangle)/\sqrt{2}$. If this test fails, namely if she
finds out that the state Bob has sent her back is orthogonal to the one she is expecting,
she can be confident that Bob has cheated and has violated her privacy. If, instead, the
test passes, she cannot conclude anything. In fact, suppose that Bob has measured the state
and collapsed it to the form $|j\rangle|A_j\rangle$ or to the form $|0\rangle|A_0\rangle$,
it still has a probability 1/2 to pass Alice's test of it being of the form
$(|j\rangle|A_j\rangle + |0\rangle|A_0\rangle)/\sqrt{2}$. So Alice's cheat test allows her
to be confident that Bob has cheated if the test fails, but she can never be completely
confident that Bob has not cheated if the test passes.

We now introduce the notation which will be used. We define $X = \{0, 1, \cdots, N-1\}$ the
source space which contains the addresses $j$ of the memory cells which compose Bob's
database, identifying with $j = 0$ the address of the rhetoric query. For each $j$ we define
$A_j$ to be the information associated with the $j$-th address. As mentioned in the
introduction the $A_j$ are classical messages composed of $m$ bits, and they need not
represent distinct messages (i.e. we allow the possibility that $A_j = A_{j'}$ for
$j \neq j'$), but they are uniquely determined by the value of $j$. In this context, Bob's
database is defined as the ordered set $V = \{A_j | j \in X\}$ formed by the strings $A_j$.
We define $Q = Q_1, Q_2$ the two quantum registers Alice uses to submit her queries;
according to the protocol, she will first send $Q_1$, wait for Bob's answer and then send
$Q_2$. In this notation, for $k = 1, 2$, the vector $|j\rangle_{Q_k}$ is the state of the
$k$-th register which carries the address of the $j$-th database memory. For all $j \neq 0$
we use the vector $|{+j}\rangle_{Q_k}$ to represent the superposition of the $j$-th query
and the rhetoric query, i.e.

$$|{+j}\rangle_{Q_k} = \left(|j\rangle_{Q_k} + |0\rangle_{Q_k}\right)/\sqrt{2} . \qquad (1)$$

(for $j = 0$ we have $|{+0}\rangle_{Q_k} = |0\rangle_{Q_k}$). We define $R = R_1, R_2$ the
registers on which Bob writes the information to send back to Alice. After having received
$Q_1$ from Alice, Bob encodes the necessary information on $R_1$ and sends back to her both
$Q_1$ and $R_1$. Analogously, after having received $Q_2$, he will encode information on
$R_2$ and send her back both $Q_2$ and $R_2$. It is useful to also define the vectors

$$|C_j\rangle_{Q_kR_k} = |j\rangle_{Q_k}|A_j\rangle_{R_k} , \qquad (2)$$

$$|C_{\pm j}\rangle_{Q_kR_k} = \left(|C_j\rangle_{Q_kR_k} \pm |C_0\rangle_{Q_kR_k}\right)/\sqrt{2} , \qquad (3)$$

(as in Eq. (P) for $j = 0$ we set $|C_{+0}\rangle_{Q_kR_k} = |C_0\rangle_{Q_kR_k}$).
According to the protocol, the vectors $|C_j\rangle_{Q_kR_k}$ or $|C_{+j}\rangle_{Q_kR_k}$
are the states that an honest Bob should send back to Alice when she is preparing $Q_k$ into
the states $|j\rangle_{Q_k}$ or $|{+j}\rangle_{Q_k}$, respectively. In fact, the states
$|C_j\rangle_{Q_kR_k}$ and $|C_{+j}\rangle_{Q_kR_k}$ are the result of the qRAM
transformation when it is fed $|j\rangle_{Q_k}$ and $|{+j}\rangle_{Q_k}$, respectively. We
also introduce an ancillary system $B$ to represent any auxiliary systems that Bob may
employ when performing his local transformation on the Alice queries, plus (possibly) an
external environment.

Let us use this notation to better formalize the QPQ protocol described above. Suppose then
that Alice wants to address the $j$-th entry of the database. The protocol goes as follows:

1. Alice randomly chooses between the two alternative scenarios a and b (see Fig. 1). In the
scenario a, she prepares the qubits $Q_1$ in $|j\rangle_{Q_1}$ and the qubits $Q_2$ in
$|{+j}\rangle_{Q_2}$. Instead, in the scenario b she prepares the states
$|{+j}\rangle_{Q_1}$ and $|j\rangle_{Q_2}$. This means that, in the scenario a, she first
sends the plain query and then the superposed query. On the contrary, in the scenario b, she
first sends the superposed query and then the plain query. Consequently, the input state of
the system $QRB$ is described by the vectors

$$|\Psi_j^{(\ell)}\rangle_{QRB} = \begin{cases} |j\rangle_{Q_1}|{+j}\rangle_{Q_2}|000\rangle_{RB} & \text{for } \ell = a, \\ |{+j}\rangle_{Q_1}|j\rangle_{Q_2}|000\rangle_{RB} & \text{for } \ell = b, \end{cases} \qquad (4)$$

where the index $\ell$ refers to the selected scenario and $|000\rangle$ is the fiducial
initial state of the systems $R = R_1R_2$ and $B$ (it is independent of $\ell$ because Bob
does not know which scenario Alice has chosen).

2. Now Alice sends $Q_1$ and waits until Bob gives her back $Q_1$ and $R_1$. Then, she sends
$Q_2$ and waits until she gets back $Q_2$ and $R_2$.

3. Honesty Test: Alice checks the states she has received. If she had selected scenario a,
she performs a von Neumann measurement to see if $QR$ is in the state
$|C_j\rangle_{Q_1R_1}|C_{+j}\rangle_{Q_2R_2}$, see Eq. (p. Of course, this can be done in two
steps: first she measures $Q_1R_1$ to learn $A_j$ and then she uses this value to prepare an
appropriate measurement on $Q_2R_2$. If the measurement fails, then Alice can definitely
conclude that Bob was cheating, otherwise she can assume he was honest (although she has no
guarantee of it). If she had chosen scenario b, she proceeds analogously, using a von
Neumann measurement to check if $QR$ is in the state
$|C_j\rangle_{Q_2R_2}|C_{+j}\rangle_{Q_1R_1}$.



III. BOB'S TRANSFORMATIONS 

In the QPQ protocol, Alice's privacy relies essentially on the fact that Bob is not allowed
to operate jointly on $Q_1$ and $Q_2$. This is a fundamental constraint: without it, Bob
would be able to discover the index $j$ without Alice knowing it. In fact, the subspaces
$\mathcal{H}_j$ spanned by the two vectors $|j\rangle_{Q_1}|{+j}\rangle_{Q_2}$ and
$|{+j}\rangle_{Q_1}|j\rangle_{Q_2}$ (associated to the two different scenarios a and b for
the query $j$) are mutually orthogonal. Thus, such vectors (and then the corresponding
queries) could be easily distinguished by performing on $Q_1Q_2$ a simple von Neumann
measurement defined by the projectors associated with the spaces $\mathcal{H}_j$. This is a
measurement that would allow Bob to recover Alice's query without disturbing the input
states of $Q_1Q_2$. To prevent this cheating strategy, the QPQ protocol forces Bob to
address $Q_1$ and $Q_2$ separately (i.e. he has to send the register $Q_1$ back, before
Alice provides him the register $Q_2$).

Bob's action when he receives Alice's first register can be described by a unitary operator
$U^{(1)}_{Q_1RB}$ which acts on the first register $Q_1$, on $R = R_1R_2$, and on $B$ (and
not on the second register $Q_2$ which is still in Alice's possession). Analogously, Bob's
action when he receives the second register is described by the unitary operator
$U^{(2)}_{Q_2R_2B}$ which acts on $Q_2$, $R_2$, and $B$ (and not on $Q_1$ and $R_1$ which
are now in Alice's possession). [Note that the above framework describes also the situation
in which Bob is employing non-unitary transformations (i.e. CP-maps), since the space $B$
can be thought to contain also the Naimark extension that transforms any CP-map into a
unitary.] The above transformations cannot depend on the selected scenario $\ell$ (as Bob
does not know which one, among $\ell = a$ and $\ell = b$, has been selected by Alice).
Therefore, within the $\ell$th scenario, the global state at the end of the protocol is
described by the vectors



QRB = Uq^r^bU, 



(1) KT,W\ 

RB I QRB 



(5) 



with $|\Psi_j^{(\ell)}\rangle_{QRB}$ given in Eq. Q.

A. Some useful decompositions 

Consider the transformation $U^{(1)}$. In the scenario a, for all $j$ we can write



U^qIrb (Ij>qJooo) 



'0 ' 



RB) 



iRB 



(6) 



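where $|C_j; \Phi_j^{(1)}\rangle_{Q_1RB}$ stands for the separable state
$|C_j\rangle_{Q_1R_1}|\Phi_j^{(1)}\rangle_{R_2B}$ and where $|V_j^{(1)}\rangle_{Q_1RB}$ is a
vector orthogonal to $|C_j\rangle_{Q_1R_1}$, i.e.

$${}_{Q_1R_1}\langle C_j|V_j^{(1)}\rangle_{Q_1RB} = 0 . \qquad (7)$$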



With this choice, Tyj^"* is the probability that the state ^ 
will be found in \Cj)Q-^^R-^. In the scenario b, instead, for 
j ^ we can write 

(I+j)qJOOO)hs) (8) 
-(1), , A Jl)iT7(l)v 



~^i-^\c+,-'^';')q,rb + ^i-ri';'\r;')Q,RB. 



As before \C+j]^f'')Q^RB = \C+j)QiR^\^f'')Q^RB and 

\V^P)q^r.b is a vector orthogonal to the "check state" 
\C+j)QiRi Alice is expecting, i.e. 

Q.R.{C+j\vf)Q,RB = 0. (9) 

Consequently l{p is the probability that the state ([5]) 
will pass the test of being in \C+j)Q^R^. The state on 
the first line of Eq. ([8]) can be expanded on a basis of 
which the state on the first line of Eq. ([6|) is a component. 
Therefore rfp and "q^^ must be related. The security 
analysis given in the following sections is based on the 
study of this relation. 

Analogous decompositions can be given for $U^{(2)}$: in this case, however, it is useful to
describe them not in terms of the input states, but in terms of the state of the system
after it has passed the test on the subsystems $Q_1R_1$. For $j \neq 0$, in the scenario a
this gives:



U, 



(2) 

Q2R2B 



R2B 



(10) 



7f:(2) 



)Q2R2B + ^l-^ Wf) 



Q2R2B 



(2) 

Here \V j )q2R-,b is a vector orthogonal to \C+j)Q^R2 of 
Eq. © i.e. 



Q2R2{C+j\V\ ^)q2R: 







Thus rjj is the probability that the state (llOp will pass 
the test of being in \C-i-j)Qr,R2- Notice that the vector 

in the first line of Eq. ^ is the state of R2B 
one obtains in the scenario a if, after the first round, 
the state QiRi passes the test of being \Cj) 
Eq. In the scenario b, instead, we have 



iRi 



U, 



(2) 

Q2RB 



{\j)Q: 



l<i> 




/R2B 
2R2B 



see 



(11) 



(2) n/(2)\ 



1-^r \v. 



/Q2R2B, 



where \Vj )q2R2B is a vector orthogonal to the state 



IC, 



('2') 

and vpj ' is the probability that the state pT|) will be 
found in \Cj)Q^R,^. 

The case $j = 0$ has to be treated separately: indeed, if Alice sends this query then both
$Q_1$ and $Q_2$ will be prepared into $|0\rangle$. In this case, it is then useful to define
$U^{(2)}$ by considering its action on the vector $|0\rangle_{Q_2}|\Phi_0^{(1)}\rangle_{R_2B}$
with $|\Phi_0^{(1)}\rangle_{R_2B}$ defined as in Eq. ([5]), i.e.



Q2R2{C,\vI^^)q. 



R2B 



= 



C^&i3f|0>Q2l4'^> 



R2B 



(12) 



Q2R2B, 



5 



where again one has 

Q2-R2(C'o|V'o''^^)Q2i?,2B = . 

From the above equations, it follows that for $j \neq 0$ the
final state after Bob has finished his manipulations
can be written as follows for scenario a

= y^Jp^f \C+,)Q,R,\C,)Q,nA'^f^)B 

+ 4^^^U^qIr.b\ +3)q.\vI'\,rb, (13) 

where all the terms in the second and third line are orthogonal to
$|C_{+j}\rangle_{Q_2R_2}|C_j\rangle_{Q_1R_1}$. Analogously, we have
for scenario b

^) = \lvfvf'' \C,)Q.R^C+,)Q,RA^f)B 

+ \l^-^fu^iR.B\j)Q.\yT)Q.RB , (14) 

where, again, the states in the last two lines are orthogonal
to the state in the first. Instead, for $j = 0$ we have

|S^^^> -^Jvi'\l^^ \Co)q.hJCo)q,hA^^o^)b 

+ y^^^C/£ks|0)Q2l^o^'%i«B . (15) 

IV. INFORMATION-DISTURBANCE 
TRADEOFF AND PRIVACY 

In this section we present an information-disturbance 
analysis of the QPQ protocol. This will yield a trade-off 
which shows that, if Bob tries to get some information 
on Alice's queries, then she has a nonzero probability of 
detecting that he is cheating. The same analysis can be 
easily reproduced for more complicated versions of the 
protocol. For instance Alice may hide her queries into 
superpositions of randomly selected queries. In this case, 
the derivation, although more involved, is a straightfor- 
ward generalization of the one presented here. 

According to Eq. ([5]), to measure Bob's information gain, it is sufficient to study how the
final state of the ancillary subsystem $B$ depends upon Alice's query $j$. Exploiting the
decompositions introduced in Sec. III we can then show that one can force $B$ to keep no
track of Alice's query by bounding the success probabilities that Bob will pass the QPQ
honesty test. Specifically, indicating with $P_j^{(\ell)}$ the success probability
associated with Alice's query $j$ in the $\ell$-th scenario and defining
$\rho_B^{(\ell)}(j)$ the corresponding output state of $B$, in Sec. IV A we will prove the
following theorem

Theorem: Choose $\epsilon \in [0, 1]$ so that $P_j^{(\ell)} > 1 - \epsilon$ for all $j$ and
$\ell$. Then there exists a state $\sigma_B^*$ of $B$ and a positive constant $c < 631$ such
that the fidelities JT^] $F(\rho_B^{(\ell)}(j); \sigma_B^*)$ are bounded as follows,

$$\left|F(\rho_B^{(\ell)}(j); \sigma_B^*) - 1\right| < c\,\epsilon^{1/4} , \qquad (16)$$

for all $j$ and $\ell$.

This implies that, by requiring Bob's probabilities of passing the honesty test to be higher
than a certain threshold $1 - \epsilon$, then the final states of $B$ will be forced in the
vicinity of a common fixed state $\sigma_B^*$, which is independent from the choice of $j$
and $\ell$. This in turn implies that, for sufficiently small values of $\epsilon$, Bob will
not be able to distinguish reliably between different values of $j$ using the states in his
possession at the end of the protocol. In particular, if $\epsilon = 0$, i.e. if Bob wants
to be sure that he passes the honesty test, then the final states for any choice of $j$ will
coincide with $\sigma_B^*$, i.e. they will be completely independent from $j$: he cannot
retain any memory of what Alice's query was. It is also worth noticing that since the total
number of queries, as well as the number of scenarios $\ell$, is finite and randomly
selected by Alice, then the requirement on $P_j^{(\ell)}$ in the theorem can be replaced by
a similar condition on the average probability of success [18].
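
The honesty test of Sec. II and the trade-off stated by the theorem can be checked numerically on a toy model. The Python sketch below is an added example, not code from the paper: the four-record database, the function names and Bob's one-parameter probe (strength theta, with a fresh ancilla for each register) are assumptions made for illustration. With theta = pi/2 it reproduces the probability 1/2 quoted in Sec. II for a Bob who measures the address register.

```python
import math

# Constructed toy database: record 0 is the rhetoric query with known answer A0.
DATABASE = {0: "A0", 1: "A1", 2: "A2", 3: "A3"}
S = 1 / math.sqrt(2)


def plain_query(j):
    """|j>_Q with R and B in the fiducial state, as {(q, r, b): amplitude}."""
    return {(j, None, 0): 1.0}


def superposed_query(j):
    """(|j> + |0>)/sqrt(2) on Q, the state |+j> of Eq. (1); |+0> = |0>."""
    if j == 0:
        return plain_query(0)
    return {(j, None, 0): S, (0, None, 0): S}


def bob_reply(state, theta):
    """qRAM lookup |q>|0>_R -> |q>|A_q>_R followed by a hypothetical probe.

    Probe (an assumption of this example, not a strategy from the paper):
    |q>|0>_B -> |q>(cos(theta)|0> + sin(theta)|q>)_B for q != 0, while the
    rhetoric query q = 0 leaves B untouched. theta = 0 is an honest Bob,
    theta = pi/2 is a full measurement of the address register.
    """
    out = {}
    for (q, _r, _b), amp in state.items():
        answer = DATABASE[q]
        if q == 0:
            branches = [(0, amp)]
        else:
            branches = [(0, amp * math.cos(theta)), (q, amp * math.sin(theta))]
        for b, a in branches:
            key = (q, answer, b)
            out[key] = out.get(key, 0.0) + a
    return out


def pass_probability(state, check):
    """Probability that QR is found in the check state ({(q, r): amplitude})."""
    overlap = {}
    for (q, r, b), amp in state.items():
        overlap[b] = overlap.get(b, 0.0) + check.get((q, r), 0.0) * amp
    return sum(x * x for x in overlap.values())


def bob_learns(state, j):
    """Probability that reading B in its basis reveals the address j."""
    return sum(amp * amp for (_q, _r, b), amp in state.items() if b == j)


def honesty_test(j, theta):
    """Send both registers of one query through Bob and apply Alice's test."""
    plain = bob_reply(plain_query(j), theta)
    superposed = bob_reply(superposed_query(j), theta)
    a_j, a_0 = DATABASE[j], DATABASE[0]  # Alice reads A_j from the plain reply
    check_plain = {(j, a_j): 1.0}  # |C_j>
    check_super = {(0, a_0): 1.0} if j == 0 else {(j, a_j): S, (0, a_0): S}  # |C_{+j}>
    return {
        "pass_plain": pass_probability(plain, check_plain),
        "pass_superposed": pass_probability(superposed, check_super),
        "learn_from_plain": bob_learns(plain, j),
        "learn_from_superposed": bob_learns(superposed, j),
    }


def tradeoff_table(j, steps=5):
    """Rows of (theta, P(pass both tests), P(Bob reads j from the plain query))."""
    rows = []
    for k in range(steps):
        theta = (math.pi / 2) * k / (steps - 1)
        r = honesty_test(j, theta)
        rows.append((round(theta, 3),
                     round(r["pass_plain"] * r["pass_superposed"], 3),
                     round(r["learn_from_plain"], 3)))
    return rows


if __name__ == "__main__":
    print("theta\tP(pass)\tP(Bob learns j)")
    for row in tradeoff_table(j=2):
        print(*row, sep="\t")
```

In this model the plain query always passes, the superposed query passes with probability (1 + cos(theta))/2, and Bob reads j from the plain query with probability sin^2(theta): the more he learns, the more likely Alice's test fails.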

In Sec. IV B we will employ the above theorem to bound the mutual information $I$ that
connects the classical variable $j \in \{1, \cdots, N-1\}$, which labels Alice's query, and
Bob's estimation of this variable. Assuming that initially Bob does not have any prior
information on the value of $j$ that Alice is interested in, we will determine the value $I$
at the end of the protocol, showing that this quantity is upper-bounded by the parameter
$\epsilon$ of Eq. p6p . Specifically, we will show that by requiring that Bob passes the
honesty test with a probability greater than $1 - \epsilon$, then Alice can bound Bob's
information as

$$I < c\,\epsilon^{1/4} \log_2 N , \qquad (17)$$

$N$ being the number of database entries: his information is upper bounded by a quantity
that depends monotonically on a lower bound to his probability P^ of passing the honesty
test. Thus, if he wants to pass the honesty test with high probability, he must retain a low
information on Alice's query.

A. Proof of the Theorem 

Assume that Alice randomly chooses the scenarios a 
and b with probability 1/2. From Eqs. and it 
is easy to verify that the success probability that Bob 
will pass the honesty test when Alice is submitting the 
j-th query is 

p,^^{pr + p^^) = ^i^rv?^rf^f^)^m 
3(b)



T^pTi^P refer to the 



where pj^^ = Vj^^vf^ and 
success probabilities in the scenarios a and b, respec- 
tively (these expressions hold also for j = by setting 
tJq = ?]q ). The corresponding output density ma- 
trices of the ancillary system B is given by 

PbU) 



(19) 



where, for £ = a and b, the state Pg\j) are obtained 
by partial tracing on Alice's spaces the output vectors of 
Eqs. (Uni) and HH), i.e. 



TrQK[|sf^)(sf)| 



1 - P 



with 



'ij) 



|<i>f)B(<f, 



(2), 



(20) 



(21) 
(22) 



The quantities cr^^(j) (for £ — a and b) are the density 
matrices obtained by projecting |S^^'')Qi?,B into the state 
of QR which allows Bob to pass the honesty test (i.e. 
\Cj)QiB.i\G+j)Q2B.2 for £ =a and \C+j)Q,R,\Cj)Q^R^ for 
£=h ). 

In accordance with the theorem's hypothesis, we con- 
sider the case in which the probability of passing the 
test p8)) for an arbitrary j is higher than a certain thresh- 
old, i.e. 



P^^^ > 1 



(23) 



with e € [0, 1]. We will then prove Eq. by identifying 

the density matrix a*^ with the pure |<&g ) defined as in 
Eq. and showing that the following condition holds 

F{pfij),\^^^^))> 1-631 e'/\ (24) 

where F is the fidelity (l^ . Such inequality is a con- 
sequence of the fact that we want Bob to preserve the 
coherence of the superposition | -I- j), and at the same 
time to answer correctly to query \j). To derive it we use 
Eq. (HOI) and the condition ^ to write 

Fip^B^j)^ > (1 - ^) • (25) 



To prove Eq. it is then sufficient to verify that for all $j$ one has



Fiaf\j), |$(^^)) = |(<i>f > 1 - 6306V4 

F{<r'^B\j), - V^'^>P > 1 - 630eV4.(26) 

The derivation is similar to the one used in Ref. [l^ and 
can be split in two parts, which will be derived in the 
following: 



i) First we use Eq. (23) and the definitions (6) and ^
to show that for all $j \neq 0$ one has



|(a>W|a>W)p>i_28Vi, 



(27) 



|($f^|<i>^'))|2 > [l-2(2 + V2^)Vi]2 > l-14Vi.(28) 

ii) Then we use Eqs. (gT)), (US]) and the definitions ^
and to verify that for $j \neq 0$ one has

I ($(2) 1^(2)^ |2 > (i_ 315 £1/4)2 > i_ 630ei/4, (29) 
|(lj'^|$(2))|2 > (i_23ei/4)2 > l-46ei/4, (30) 
which proves the theorem with c = 630. 



Derivation of Part i) 



The condition ([23|l implies the following inequalities 

(31) 



> 1 



forallj e {0, 1,--- ,iV-l}. To obtain inequality (gZl), we 
compare Eqs. ^ and ((S]) under the constraint imposed 
by Eqs. (|3T|) . In particular, we notice that for j 7^ 
Eq. ([6]) gives 

t^Q% (I + J>QjOOO)flB) = \W,)q,rb + \^W,)Q,Riim 
with 



72 
72 



(33) 



According to Eq. (pij) . the vector |AWj)Qji{B has a norm 
of the order e. This implies that for e <^ 1 the vec- 
tor (15^ almost coincides with |Wj)qi_rb- Analogously, 
Eq. ([5]) and the second inequality of Eq. ([?!]) tell us 
that for e < 1, the state U^A^j^g {\ + i)Q^\QQQ) re) al- 
most coincides with the vector |C+j; ^)q-^rb- Combin- 
ing these two observations, it follows that for e <C 1 the 

vectors and \C+j;^^j^^)Q^RB almost coincide. 

According to definition ([3]), this implies that |<&|-^^)i?2S,



|$Q^^)ij2B and \^y')R2B must converge for e — > 0. To 
make this statement quantitatively precise, evaluate the 
scalar product between Eqs. ([5^ and ([5]), and obtain the 
identity 



^1) 



1 = ^{W,\C+,;^f^) + 'sjl-i'\w,\vf) (34) 



It can be simplified by using the following inequalities: 



\{W,\C+,;^) 



< 



<i)\ 
which can be easily derived from Eq. (|33p by invoking
the orthogonality conditions Replacing the above 

expressions into Eq. (p4|l we get 



1 < 



1 



+2 Ve+ %/2 e , 
which implies 



(35) 

(36) 
(37) 



We are almost there: indeed Eq. ([36)1 coincides with 
Eq. ([28|l. To derive Eq. ([27]) we apply the triangular 



> l-2(2 + \/27) Vi, 

^f'^f)\ > 1-2(2 + ^/27) Vi. 



inequality to the vectors |$o^''), l^Y') and |$ 



.(1) 



Derivation of Part ii) 

The main difference between the set of Eqs. ([8]) and 
the set of Eqs. (fTO|) . (jlip is the fact that, in the former, 
acts on vectors with fixed RB component, while, in 
the latter, U^'^'^ operates on vectors whose R2B compo- 
nents may vary with j. We can take care of this by re- 
placing |$j-^^)h2B and \^f'')R2B with the constant vector 

W'iP)r2B- This is, of course, not surprising, given the in- 
equalities of Eqs. (|27|) and ([28]) . To see it explicitly, eval- 



uate the scalar product between Ug^j^g 



/B.2B 



and C/g^^flB 



{\j)c 



1$ 



B ) . For j 7^ it gives. 



(38) 



From the inequalities pT|) and ((28l) . it then follows that 
the modulus of Kj = {Cj^^f^lU^^^j; $[)^^) must be close 



to one. I.e. 



\kj \ > 1 - (5 + 2^2^) > 1 - 8Ve ■ 

Proceeding analogously for the vectors t/*^^^ 
and U^^^C+j;'^f^), we obtain 



(39) 



\-K,\ ^ \{C+, <pf\U^'^\+j > 1 _ 29Vi . (40) 

For all J 7^ we can then write the following decomposi- 
tions: 

USRBi\j)Q2\'^^0^)R2B) = A^,|Q;<i>f%,fl,,s (41) 
USR2Bi\+j)QM'^)R2B) 



1 - \Kj\^\Zj)Q^R^B 



)Q2R2 



(42) 



where \Zj) and are vectors orthogonal to \Cj; $^ 
and \C+j; ) respectively. The inequality ([30| can now 



be derived by taking the scalar product between Eqs. 

and (fT^ . remembering that |V^^ ') is orthogonal to |Co) 
and using Eqs. dST]) and (gO]). To derive Eq. ([29]), instead, 
we first evaluate the scalar product between Eqs. (|^T|l and 
(li^ obtaining 

I ($5'^ I $(.2)) I > 1 _ V2[4 + 5\/58]ei/4 > 1 - 60 e^/^ , 
and then we impose the triangular inequality between the 



— (2) 

vectors 1$^ 



) and 1$^'^) 



B. A bound on Bob's information 

Here we give an upper bound to Bob's information on the variable $j$. This can be done by
noticing that we can treat $B$ as a quantum source which encodes the classical information
produced by the classical random source $X$. Specifically, this quantum source will be
characterized by the quantum ensemble $\mathcal{E} = \{p_j = 1/N, \rho_B(j)\}$, where
$p_j = 1/N$ is Alice's probability of selecting the $j$-th query, and $\rho_B(j)$ is given
by Eq. (19). We can then give an upper bound to Bob's information by considering the mutual
information $I$ associated with the ensemble $\mathcal{E}$. From the Holevo bound [15], we
obtain

$$I \leq \chi(\mathcal{E}) = S(\rho_B) - \frac{1}{N}\sum_{j=0}^{N-1} S(\rho_B(j)) , \qquad (43)$$

where $\rho_B = \sum_{j=0}^{N-1} \rho_B(j)/N$ is the average state of $B$, assuming that
each of Alice's queries is equiprobable. To simplify this expression, it is useful to
express $\rho_B(j)$ as



PbU) ^ Pj a, + (1 - P,) a, 



(44) 



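where $P_j$ is the average probability (18) that Bob will pass the test
while Alice is sending the $j$-th query, and where $\sigma_j$ and
$\tilde\sigma_j$ are the density matrices

$$\sigma_j \equiv \left(P_j^{(a)}\sigma_j^{(a)} + P_j^{(b)}\sigma_j^{(b)}\right)/(2P_j), \qquad (45)$$

$$\tilde\sigma_j \equiv \left[(1 - P_j^{(a)})\,\tilde\sigma_j^{(a)} + (1 - P_j^{(b)})\,\tilde\sigma_j^{(b)}\right]/[2(1 - P_j)]. \qquad (46)$$

This allows us to write also

$$\rho_B = P\,\sigma + (1 - P)\,\tilde\sigma, \qquad (47)$$

with

$$\sigma = \sum_{j=0}^{N-1} \frac{P_j}{NP}\,\sigma_j, \qquad \tilde\sigma = \sum_{j=0}^{N-1} \frac{1 - P_j}{N(1 - P)}\,\tilde\sigma_j,$$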



where $P = \sum_j P_j/N$ is Bob's average probability of passing the
honesty test, which, according to Eq. (23), must be greater than
$1 - \epsilon$. Equations (44) and (46) can then be exploited to produce
the following inequalities

$$S(\rho_B) \leq H_2(P) + P\,S(\sigma) + (1 - P)\,S(\tilde\sigma),$$
$$S(\rho_B(j)) \geq P_j\,S(\sigma_j) + (1 - P_j)\,S(\tilde\sigma_j), \qquad (48)$$

where $H_2(x) = -x \log x - (1 - x)\log(1 - x)$ is the binary entropy.
Therefore Eq. ([^5]) gives

$$I \leq H_2(P) + P\,\chi(\{\tfrac{P_j}{NP}; \sigma_j\}) + (1 - P)\,\chi(\{\tfrac{1 - P_j}{N(1 - P)}; \tilde\sigma_j\}),$$

where $\chi(\{\tfrac{1 - P_j}{N(1 - P)}; \tilde\sigma_j\})$ is the Holevo
information associated with a source characterized by probabilities
$\tfrac{1 - P_j}{N(1 - P)}$. This quantity can never be bigger than
$\log_2 N$ (the same applies to $\chi(\{\tfrac{P_j}{NP}; \sigma_j\})$,
but we are not going to use it). Therefore, we can write

$$I \leq H_2(P) + P\,\chi(\{\tfrac{P_j}{NP}; \sigma_j\}) + (1 - P)\log_2 N, \qquad (49)$$

which shows that, in the limit in which $P \to 1$, the upper bound is
only given by $\chi(\{\tfrac{P_j}{NP}; \sigma_j\})$. The claim is that
for $P \sim 1$ this quantity vanishes. Indeed, according to Eq. (26) we
know that for $\epsilon \to 0$ the density matrices $\sigma_j$ converge
to the fixed state $|\Phi_0^{(2)}\rangle_B$, hence

$$\lim_{\epsilon \to 0} \chi(\{\tfrac{P_j}{NP}; \sigma_j\}) = \chi(\{\tfrac{P_j}{NP}; |\Phi_0^{(2)}\rangle\}) = 0. \qquad (50)$$

More generally, we now show that $I$ can be bounded from above to any
value $> 0$ for $P$ sufficiently close to 1.

In order to exploit the above relations to give a bound on $I$, let us
introduce the probabilities

$$q_j \equiv \langle\Phi_0^{(2)}|\sigma_j|\Phi_0^{(2)}\rangle > 1 - 630\,\epsilon^{1/4}, \qquad (51)$$
$$q \equiv \langle\Phi_0^{(2)}|\sigma|\Phi_0^{(2)}\rangle = \sum_j \frac{P_j\,q_j}{NP} > 1 - 630\,\epsilon^{1/4} \qquad (52)$$

(the inequalities simply follow from Eq. (j^S])). We can then write

$$\sigma = q\,|\Phi_0^{(2)}\rangle\langle\Phi_0^{(2)}| + (1 - q)\,\tau + \Delta, \qquad (53)$$

where $\tau_j$ are density matrices formed by vectors $|v_\perp\rangle$
orthogonal to $|\Phi_0^{(2)}\rangle$, $\Delta_j$ are traceless operators
containing off-diagonal terms of the form
$|\Phi_0^{(2)}\rangle\langle v_\perp|$, and
$\tau = \sum_j P_j \tau_j/(NP)$. We now introduce a unital completely
positive trace preserving (CPT) map $\mathcal{T}$ which destroys the
off-diagonal terms $|\Phi_0^{(2)}\rangle\langle v_\perp|$ while
preserving the corresponding diagonal terms, and observe that the von
Neumann entropy always increases under the action of a unital map [16].
Therefore,

$$\chi(\{\tfrac{P_j}{NP}; \sigma_j\}) \leq S(\sigma) \leq S(\mathcal{T}(\sigma)) = S\!\left(q\,|\Phi_0^{(2)}\rangle\langle\Phi_0^{(2)}| + (1 - q)\,\tau\right) \leq H_2(q) + (1 - q)\,S(\tau). \qquad (54)$$

Now, since $\tau$ is a density matrix in $B$, the quantity $S(\tau)$ can
always be upper bounded by $\log_2 d_B$ with $d_B$ the dimension of $B$.
This is not very useful, as $d_B$ can be arbitrarily large. However, a
better solution can be obtained. Indeed, we can show that the following
inequality holds:

$$S(\tau) \leq \log_2(2N). \qquad (55)$$

To verify this, we note that the ensemble $\{\tfrac{P_j}{NP}; \sigma_j\}$
is composed by $N$ density matrices of the form where $\sigma_j^{(a)}$
and $\sigma_j^{(b)}$ are pure vectors satisfying the conditions given in
Eq. (26). For small $\epsilon$, these $2N$ vectors are parallel:
therefore, there exists a partial isometry $X$ connecting $B$ to a
Hilbert space $B'$ of dimension $2N$ which maintains their relative
distances intact. Applying such an isometry to all elements of
$\{\tfrac{P_j}{NP}; \sigma_j\}$ we obtain a new ensemble
$\{\tfrac{P_j}{NP}; \sigma'_j\}$ of $B'$, whose elements satisfy the same
relations as the original one. In particular, the two ensembles possess
the same value of $\chi$ (in fact, $\chi$ is an entropic quantity, whose
value depends only on the relations among the ensemble elements), i.e.

$$\chi(\{\tfrac{P_j}{NP}; \sigma_j\}) = \chi(\{\tfrac{P_j}{NP}; \sigma'_j\}). \qquad (56)$$

We can now apply to $\chi(\{\tfrac{P_j}{NP}; \sigma'_j\})$ the
inequalities (|5i)): the only difference being that now $\tau$ is a
density matrix of $B'$ and hence it satisfies the condition (55).
Therefore, we can conclude

$$\chi(\{\tfrac{P_j}{NP}; \sigma_j\}) \leq H_2(q) + (1 - q)\log_2(2N).$$

Replacing this into (49), we finally find

$$I \leq H_2(P) + P\,H_2(q) + (1 - q) + (2 - P - q)\log_2 N, \qquad (57)$$

which thanks to Eq. (52), for sufficiently large $N$ yields Eq. ((T7)).
This means that Alice can limit Bob's information $I$ by employing in
her tests a value of $\epsilon$ sufficiently small.



V. QPQ VARIANTS AND ENTANGLEMENT 
ASSISTED QPQ 

In this section we discuss a few variants of the QPQ protocol that can
be used to improve the security. In particular we introduce an
entanglement assisted QPQ in which Alice entangles her registers
$Q_{1,2}$ with a local ancilla before sending them to Bob. As before, we
will focus for simplicity on rhetoric versions of such variants, even
though similar considerations can be applied also to other
(non-rhetoric) QPQ versions.

An example of a cheating strategy will allow us to put in evidence the
aspects of QPQ that these variants are able to improve. Specifically,
suppose that Bob performs a projective measurement on all of Alice's
queries to determine the value of the index $j$. As we have seen in the
previous section, he will by necessity be disturbing Alice's state on
average, so that she will have some finite probability to find out he is
cheating. However, if she had chosen scenario a [see Eq. (d))], then
Bob's first measurement on $Q_1$ will return $j$. Now, suppose that his
second measurement on Alice's second request $Q_2$ returns the value "0"
(this happens with probability 1/2), then Bob will know that Alice had
chosen scenario a and that her query was $j$. In this particular case,
he will be able to evade detection if he re-prepares the system $Q_2$ in
the state $|+j\rangle_{Q_2}$. [Of course, this does not mean that he will
evade detection in general, as this is a situation that is particularly
lucky for him, but that has only a small chance of presenting itself.]
A simple variant of the QPQ protocol can be used to reduce the success
probability of this particular cheating strategy and in general to
strengthen the security of the whole procedure. It consists in allowing
Alice to replace the superposition $|+j\rangle_{Q_k}$ with states of the
form $(|j\rangle_{Q_k} + e^{i\theta}|0\rangle_{Q_k})/\sqrt{2}$, the phase
$\theta$ being a parameter randomly selected by Alice. Since Bob does not
know the value of $\theta$, it will be clearly impossible for him to
re-prepare the correct reply state after his measurement: as a result
his probability of cheating using the simple strategy presented above
will be decreased [l^- Furthermore, since for each given choice of
$\theta$ the results of Sec. IV apply, one expects that the use of
randomly selected values of $\theta$ will result in a general security
enhancement of the QPQ protocol.

In the previous example, the parameter $\theta$ is a secret parameter
whose value, unknown to Bob, prevents him from sending the correct
answers to Alice. Another QPQ variant employs entanglement to enhance
security. Suppose that, instead of presenting Bob with the states
$|j\rangle_{Q_k}$ and
$|+j\rangle_{Q_k} = (|j\rangle_{Q_k} + |0\rangle_{Q_k})/\sqrt{2}$, as
requested by the QPQ protocol, Alice uses the states

\j)q, and|Aj)Q,A = ^[|j)QjO)A + |0)QjjU] ,(58) 

where the system $A$ is an ancillary system that Alice does not hand
over to Bob. The protocol now follows the same procedure as the
"canonical" QPQ described previously, but employing the state | A j) in
place of the state $|+j\rangle$. Of course, Alice's honesty test must be
appropriately modified, as she has to test whether Bob's actions have
destroyed the entanglement between the ancillary system $A$ and the
$Q_k$ register. The main difference with the canonical QPQ is that here
half of the times Bob has only access to a part of an entangled state:
he is even more limited in re-preparing the states for Alice than in
the canonical QPQ. It is easy to see that the security proof given in
the previous sections can be straightforwardly extended to this version
of the protocol, and that the security bounds derived above still apply:
indeed they can be made even more stringent as Bob has only a limited
capacity in his transformations on Alice's queries, since he does not
have access to the ancillary space $A$. In the situations in which the
information carriers employed in the queries can be put in a
superposition of traveling in different directions this version of the
protocol can easily be reduced to the canonical QPQ by simply supposing
that Alice is in the possession of the database element $j = 0$
corresponding to the rhetoric question, while, obviously, Bob is in
possession of all the remaining database elements.



VI. WHAT IF ALICE CANNOT CHECK THE 
ANSWER TO HER QUERIES INDEPENDENTLY 
FROM BOB? 

In deriving the QPQ protocol it is assumed that for each query
$j \in \{1, 2, \cdots, N\}$ there is a unique possible answer $A_j$
(notice however that two distinct queries can have the same answer, i.e.
$A_j$ can coincide with $A_{j'}$). One way to enforce this condition in
a realistic scenario is to admit the possibility that Alice can
independently verify the answer that Bob is sending to her [20]. In this
section we will show that if this is not the case then the basic
structure of QPQ does not prevent Bob from cheating without being
discovered by Alice. In Sec. VII we will discuss how one can overcome
these limitations, at least temporarily, by allowing Alice (or third
parties that collaborate with her) to reiterate her query at random
times.



A. Successful cheating strategies for a database 
with multiple valid answers 

Here we drop the above hypothesis and give two examples of successful
cheating strategies that allow Bob to spy on Alice's query, and still
pass the honesty test with probability 1.



1. Successful cheating for the rhetoric version of QPQ, for 
databases with multiple valid answers 

Let us start by considering the case of a database with $N = 3$ possible
entries in which both the query $j = 1$ and the query $j = 2$ admit two
distinguishable answers. In particular let $A_1^{(+)}$, $A_1^{(-)}$ be
the answers for $j = 1$ and $A_2^{(+)}$, $A_2^{(-)}$ those for $j = 2$.

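Now, suppose that the unitary $U^{(1)}_{Q_1RB}$ of Eq. (5) that Bob
applies to $Q_1RB$ performs the following mapping

$$|0\rangle_{Q_1}|0\rangle_{R_1}|0\rangle_B \to |0\rangle_{Q_1}|A_0\rangle_{R_1}|0\rangle_B,$$
$$|1\rangle_{Q_1}|0\rangle_{R_1}|0\rangle_B \to |1\rangle_{Q_1}\,\frac{|A_1^{(+)}\rangle_{R_1}|+1\rangle_B + |A_1^{(-)}\rangle_{R_1}|-1\rangle_B}{\sqrt{2}},$$
$$|2\rangle_{Q_1}|0\rangle_{R_1}|0\rangle_B \to |2\rangle_{Q_1}\,\frac{|A_2^{(+)}\rangle_{R_1}|+2\rangle_B + |A_2^{(-)}\rangle_{R_1}|-2\rangle_B}{\sqrt{2}},$$

where $|A_0\rangle$ is the answer to the rhetoric query and where

$$|\pm 1\rangle_B \equiv \frac{|0\rangle_B \pm |1\rangle_B}{\sqrt{2}}, \qquad |\pm 2\rangle_B \equiv \frac{|0\rangle_B \pm |2\rangle_B}{\sqrt{2}}, \qquad (59)$$

with $|0\rangle_B$, $|1\rangle_B$ and $|2\rangle_B$ being orthonormal
states of Bob's space $B$. Analogously define $U^{(2)}_{Q_2R_2B}$ as the
unitary operator which performs the following transformation
$|0\rangle_{Q_2}|0\rangle_{R_2}|\psi\rangle_B \to |0\rangle_{Q_2}|A_0\rangle_{R_2}|\psi\rangle_B$
for all $|\psi\rangle_B$ of $B$ and

$$|1\rangle_{Q_2}|0\rangle_{R_2}|\pm 1\rangle_B \to |1\rangle_{Q_2}|A_1^{(\pm)}\rangle_{R_2}|\pm 1\rangle_B,$$
$$|2\rangle_{Q_2}|0\rangle_{R_2}|\pm 2\rangle_B \to |2\rangle_{Q_2}|A_2^{(\pm)}\rangle_{R_2}|\pm 2\rangle_B. \qquad (60)$$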

According to the above assumptions, if Alice's query is the rhetoric one
(i.e. $j = 0$) the final state of the QPQ protocol is
$|0\rangle_{Q_1}|A_0\rangle_{R_1}|0\rangle_{Q_2}|A_0\rangle_{R_2}|0\rangle_B$.
In this case Bob passes the test and gets $|0\rangle_B$ as output state.
For $j = 2, 3$, instead, we have two possibilities. In the scenario
$\xi = a$ the final state will be

2 \j)Qi\Aj )Ri\+J)b 

H 2 \j)Ql\Aj )Ri\~3)b, 

while in the scenario $\xi = b$ it will be

+ '^'^'^-'^'"^V°^-^-'-^°^-- b-)g2l4'^)^^|-.-)B. 

This means that independently from the selected value of $\xi$ Alice
will receive the answer $A_j^{(+)}$ half of the times and the answer
$A_j^{(-)}$ in the other half of the times, while Bob will always pass
the honesty test. Moreover in the case in which Alice receives the
answer $A_j^{(+)}$, Bob will get the state $|+j\rangle_B$ while in the
case in which Alice receives the answer $A_j^{(-)}$ Bob will get the
state $|-j\rangle_B$. On average the state of $B$ is
$(|0\rangle_B\langle 0| + |j\rangle_B\langle j|)/2$.

In conclusion, using $U^{(1)}$ and $U^{(2)}$ as in the previous
paragraphs, Bob will always pass the honesty test. Furthermore the
output state of $B$ he gets at the end of the protocol will be partially
correlated with the query $j$ as follows:

    Query      output state B
    j = 0      $|0\rangle_B\langle 0|$
    j = 1      $(|0\rangle_B\langle 0| + |1\rangle_B\langle 1|)/2$
    j = 2      $(|0\rangle_B\langle 0| + |2\rangle_B\langle 2|)/2$        (61)



Therefore by performing a simple von Neumann measurement on $B$, Bob
will be able to extract some information on $j$, without Alice having
any chance of detecting it.

Notice that, in the example presented here, Bob's info is limited by the
partial overlap between the states $|0\rangle_B\langle 0|$,
$(|0\rangle_B\langle 0| + |1\rangle_B\langle 1|)/2$ and
$(|0\rangle_B\langle 0| + |2\rangle_B\langle 2|)/2$. However, this is not
a fundamental limitation as one can construct more complex examples
(e.g. databases with more than two possible answers for a single query)
for which the amount of info that Bob acquires on $j$ can be arbitrarily
high. It is also important to stress that the above example can be used
to show that Bob will be able to cheat also in the case in which Alice
adopts QPQ strategies more sophisticated than the simple rhetoric
version discussed in this paper (e.g. instead of sending superpositions
of the form $(|j\rangle + |0\rangle)/\sqrt{2}$ she sends arbitrary
superpositions $\alpha|j\rangle + \beta|0\rangle$ with $\alpha$ and
$\beta$ arbitrary amplitudes that only she knows).
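The strategy of Eqs. (59)-(61) can be checked numerically. The following is an added example, not code from the paper: it tracks the joint state under Bob's $U^{(1)}$ and $U^{(2)}$ for both sending orders, evaluates Alice's honesty test, and computes how many bits a computational-basis measurement of $B$ reveals about a uniformly chosen $j$. The string labels for the answers and the modelling of the honesty test as a projection onto $(|j\rangle|A_j^{(\pm)}\rangle + |0\rangle|A_0\rangle)/\sqrt{2}$, built from the answer Alice read, are assumptions of this example.

```python
import math
from collections import defaultdict

S = 1 / math.sqrt(2)  # amplitude 1/sqrt(2)

def run_cheat(j, scenario):
    """Final state {(q1, r1, q2, r2, b): amplitude} for query j.

    Scenario 'a': Alice sends |j> then |+j>; 'b': the reverse order.
    For j != 0, B is labelled in the |±j>_B basis of Eq. (59), in which
    the blank state |0>_B is (|+j> + |-j>)/sqrt(2).
    """
    if j == 0:  # rhetoric query: both replies are A0, B is untouched
        return {(0, "A0", 0, "A0", "0"): 1.0}
    plain, superposed = {j: 1.0}, {j: S, 0: S}
    first, second = (plain, superposed) if scenario == "a" else (superposed, plain)
    state = defaultdict(float)
    for s in "+-":
        for q1, a1 in first.items():
            # U(1): |j>|0>|0>_B -> |j>(|Aj+>|+j> + |Aj->|-j>)/sqrt(2)
            #       |0>|0>|0>_B -> |0>|A0>(|+j> + |-j>)/sqrt(2)
            r1 = f"A{j}{s}" if q1 == j else "A0"
            for q2, a2 in second.items():
                # U(2): |j>|0>|±j> -> |j>|Aj±>|±j>; |0>|0>|psi> -> |0>|A0>|psi>
                r2 = f"A{j}{s}" if q2 == j else "A0"
                state[(q1, r1, q2, r2, s)] += a1 * S * a2
    return dict(state)

def honesty_pass_probability(j, scenario):
    """Assumed test model: Alice reads the answer in the |j> reply, then
    projects the other reply onto (|j>|answer> + |0>|A0>)/sqrt(2)."""
    state = run_cheat(j, scenario)
    if j == 0:
        return state.get((0, "A0", 0, "A0", "0"), 0.0) ** 2
    total = 0.0
    for s in "+-":
        ans = f"A{j}{s}"
        for b in "+-":
            amp = 0.0
            for q, r in ((j, ans), (0, "A0")):
                key = (j, ans, q, r, b) if scenario == "a" else (q, r, j, ans, b)
                amp += S * state.get(key, 0.0)
            total += amp ** 2
    return total

def bob_outcomes(j, scenario):
    """Outcome probabilities when Bob measures B in the {|0>,|1>,|2>} basis."""
    if j == 0:
        return {0: 1.0}
    state, rho = run_cheat(j, scenario), defaultdict(float)
    for (*env, b), a in state.items():        # partial trace over Q1 R1 Q2 R2
        for (*env2, b2), a2 in state.items():
            if env == env2:
                rho[b + b2] += a * a2
    # <0|rho|0> with |0>_B = (|+j> + |-j>)/sqrt(2); the rest is <j|rho|j>
    p0 = (rho["++"] + rho["--"] + rho["+-"] + rho["-+"]) / 2
    return {0: p0, j: 1.0 - p0}

def leaked_bits(scenario, n=3):
    """Mutual information (bits) between a uniform query j and Bob's outcome."""
    joint = {(j, y): p / n for j in range(n)
             for y, p in bob_outcomes(j, scenario).items()}
    py = defaultdict(float)
    for (_, y), p in joint.items():
        py[y] += p
    return sum(p * math.log2(p * n / py[y]) for (_, y), p in joint.items() if p > 0)

if __name__ == "__main__":
    for sc in "ab":
        print(sc, [honesty_pass_probability(j, sc) for j in range(3)], leaked_bits(sc))
```

Both sending orders give pass probability 1 for every $j$, and the measurement leaks $\log_2 3 - 1 \approx 0.585$ bits for the three-entry database of table (61).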



2. Successful cheating for the non-rhetoric version of QPQ, 
for databases with multiple valid answers 

Here we analyze how multiple valid answers may affect the performance of
the non-rhetoric version of the QPQ protocol (i.e. where Alice is not
using the rhetoric question $j = 0$). We give an example of a successful
cheating strategy for a database with $N = 3$ queries. For the sake of
simplicity, we will assume that $j = 0, 1$ have single answers $A_0$ and
$A_1$ respectively, but that $j = 2$ is associated with two
distinguishable answers $A_2^{(\pm)}$. As an example of a non-rhetoric
QPQ protocol we consider the case in which Alice, to get the information
associated with the $j$ query, chooses another query (say the $j'$-th
one) and sends sequentially, in random order, states of the form
$\alpha|j\rangle + \beta|j'\rangle$, $|j\rangle$ and $|j'\rangle$
($\alpha$ and $\beta$ being amplitudes that only she knows).

As in the case of the rhetoric version of the protocol, Bob's action can
be described by unitaries. In this case they are $U^{(1)}$, $U^{(2)}$ and
$U^{(3)}$. Notice that the first acts on $Q_1RB$, the second on
$Q_2R_2R_3B$ and the third on $Q_3R_3B$, with obvious choice of the
notation for the subspaces involved. For our present purpose, it is
sufficient to assume that for $k = 1, 2, 3$, $U^{(k)}$ acts non-trivially
only on $Q_kR_kB$ (this is a particular instance of the general case).
We can also assume that $U^{(1)}$, $U^{(2)}$ and $U^{(3)}$ are identical.
We then define such operators according to the following rules:

$$U^{(k)}_{Q_kR_kB}(|j\rangle_{Q_k}|0\rangle_{R_k}|0\rangle_B) = |j\rangle_{Q_k}|A_j\rangle_{R_k}|0\rangle_B,$$
$$U^{(k)}_{Q_kR_kB}(|j\rangle_{Q_k}|0\rangle_{R_k}|2\rangle_B) = |j\rangle_{Q_k}|A_j\rangle_{R_k}|2\rangle_B,$$

if $j = 0, 1$ while, for $j = 2$,

$$U^{(k)}_{Q_kR_kB}(|2\rangle_{Q_k}|0\rangle_{R_k}|0\rangle_B) = |2\rangle_{Q_k}\left(|A_2^{(+)}\rangle_{R_k}|+2\rangle_B + |A_2^{(-)}\rangle_{R_k}|-2\rangle_B\right)/\sqrt{2},$$
$$U^{(k)}_{Q_kR_kB}(|2\rangle_{Q_k}|0\rangle_{R_k}|\pm 2\rangle_B) = |2\rangle_{Q_k}|A_2^{(\pm)}\rangle_{R_k}|\pm 2\rangle_B,$$

where $|\pm 2\rangle_B$ are defined in Eq. (59). If the initial state of
$B$ is $|0\rangle_B$, one can easily verify that Bob will always pass
Alice's honesty test (no matter which superposition
$\alpha|j\rangle + \beta|j'\rangle$ she is using) and that he can recover
part of the information associated with the query. In this simple
example, for instance, he has a nonzero probability to identify the
query $j = 2$. As before, this counterexample can be easily generalized
and improved.

VII. POSSIBLE SOLUTIONS 

The case in which different answers may correspond to 
the same query is, of course, quite relevant, so that it is 
natural to ask if the QPQ protocol can be modified to 
apply also to this situation. In this section we give some 
methods that allow Alice to foil the cheating strategies 
described in the previous section temporarily, for as long 
as Bob is expecting further queries. 
In the case in which Alice can independently check how many different
replies correspond to each query (and which they are), then there is a
simple solution that prevents Bob from cheating: we must require Bob to
provide all possible replies in a pre-established order (e.g.
alphabetically) when he is presented the $j$th query. In this way, each
query has again a unique composite answer (composed by the ordered
succession of all the possible answers), so that we are reduced to the
canonical QPQ protocol, and Bob is prevented from cheating.

If, however, Alice cannot independently establish the number of
different replies to each query, then a different strategy is necessary.
[Note that the security proofs given in Sects. III and IV cease to apply
to this version of the protocol, although conceivably they may be
extended to cover also this situation.]

First of all, we must require that each of the possible replies to the
$j$th query is uniquely indexed by Bob. This means that there should be
a unique answer to the question "What is the $k$th possible reply to the
$j$th query?" Of course, this by itself is insufficient to guarantee
that Bob cannot employ the cheating strategies of the previous section,
as Alice cannot independently check the uniqueness of Bob's indexing
(since she does not know all the possible answers to the $j$th query).
However, she can check whether Bob will always answer in the same way to
repeated queries. From Eqs. ([50)1 and (pT|), it follows that, as soon
as Bob measures his system $B$, he might gain information on the value
of $j$, but at the same time he loses information on which (among all
the possible answers to the $j$th query) he had presented to Alice. If
he wants to be sure that he keeps on providing always the same answer to
repeated queries on Alice's part, he must preserve his system $B$
without trying to extract information from it. He can measure the system
$B$ only when he is confident that Alice will not be asking him the same
query anymore. In a multi-party scenario, we can also think of a
situation where multiple cooperating parties ask Bob the same queries
and compare the replies they receive from him. If they find that his
answers when he is asked the $k$th reply to the $j$th query do not
match, then they can conclude that he has been cheating: he has not
assigned a unique index to all the possible replies to the $j$th query,
and he has taken advantage of the cheating strategies detailed in the
previous section.

Bob is thus placed in the awkward situation of possessing information on
Alice's query in the system $B$ entirely in his possession, but of being
prevented from accessing such information. This is a temporary solution,
since, as soon as Bob is certain that he will not be asked the $j$th
query anymore, he can measure the system $B$ and extract the information
stored on it. He is kept honest only as long as he is in business (and,
of course, he is in business only as long as he is honest).

VIII. CONCLUSIONS 

In conclusion, we have given a security proof of the QPQ protocol
introduced in Q. It is based on quantitative information-disturbance
tradeoffs which place an upper bound on the information Bob can retain
on Alice's query in terms of the disturbance he is producing on the
states that he is handing back to her (see Sects. III and IV). A nonzero
information retained by Bob implies a nonzero disturbance on Alice's
states, which she can detect with a simple measurement (the "honesty
test"). If the honesty test fails, she can conclude that Bob has
certainly cheated. If, on the other hand, the test passes, she can
tentatively conclude that Bob has not cheated (although she cannot be
certain of it).

In addition, we have given some variants of the protocol to further
increase Alice's security, i.e. to reduce Bob's probability of evading
detection when cheating. These variants either exploit secret
parameters, or exploit entanglement with an ancillary system Alice
retains in her possession (see Sect. V).

Finally, we have seen that Bob can successfully cheat without being
detected if we drop the assumption (which is at the basis of the QPQ
protocol) that to each query there can be associated only a single
answer $A_j$ (see Sect. VI). In fact, if we assume that there exist two
(or more) different replies $A_j \neq A'_j$ to the query $j$, then Bob
can find out the value of $j$, evading detection by Alice with
certainty. We discussed some strategies that allow Alice to protect
herself also in this situation, at least as long as Bob can expect
further queries from her or from other parties who may cooperate with
her (see Sect. VII).